CVE-2026-11487
MEDIUM
Neovim View Branch secure.lua M.read command injection
Title source: cna
Description
A flaw has been found in Neovim up to 0.12.2. It affects the function M.read in the file runtime/lua/vim/secure.lua of the component View Branch. Manipulating the argument path can lead to command injection. The attack can be launched on the local host. The exploit has been published and may be used. The patch is identified as f83e0dcaf8cf18de94828341b0a1a61a86c75baf. A patch should be applied to remediate this issue.
References (8)
Core References
[vdb-entry, technical-description] VDB-369107 | Neovim View Branch secure.lua M.read command injection
https://vuldb.com/vuln/369107
[signature, permissions-required] VDB-369107 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/369107/cti
[third-party-advisory] CVE-2026-11487 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11487
[third-party-advisory] Submit #834495 | Neovim Neovim <= 0.12.2 command injection
https://vuldb.com/submit/834495
[exploit, issue-tracking]
https://github.com/neovim/neovim/issues/39914
[issue-tracking, patch]
https://github.com/neovim/neovim/pull/39918
[product]
https://github.com/neovim/neovim/
Scores
CVSS v3: 5.3
EPSS: 0.0092
EPSS Percentile: 55.5%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-74, CWE-77
Status: published
Products (3)
None/Neovim 0.12.0
None/Neovim 0.12.1
None/Neovim 0.12.2
Published: Jun 08, 2026
Tracked Since: Jun 08, 2026